WO2015076012A1 - Electronic control device and software rewriting system - Google Patents

Publication number
WO2015076012A1
Authority
WO
WIPO (PCT)
Prior art keywords
software
rewriting
state
program
electronic control
Application number
PCT/JP2014/075108
Inventor
敏志 静
Original Assignee
トヨタ自動車株式会社
Application filed by トヨタ自動車株式会社
Publication of WO2015076012A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00: Arrangements for software engineering
    • G06F8/60: Software deployment
    • G06F8/65: Updates
    • G06F8/654: Updates using techniques specially adapted for alterable solid state memories, e.g. for EEPROM or flash memories

Definitions

  • the present invention relates to an electronic control device that updates software stored in a storage unit with software transmitted from the outside.
  • Many devices mounted on the vehicle are controlled by an electronic control device. Depending on the vehicle, several tens or more electronic control devices may be mounted, and each controls an engine, a brake, a power steering, a transmission, a door lock, a navigation device, and the like. The electronic control units communicate with each other via a network and operate as a system or perform coordinated control with each other.
  • the electronic control device has a microcomputer, and the microcomputer performs various controls by executing programs. Although this program is stored in a nonvolatile memory, the program stored in the nonvolatile memory can be rewritten from the outside so that the program can be upgraded after shipment of the vehicle.
  • Patent Document 1 discloses a rewriting device that monitors whether the ignition switch is ON or OFF during rewriting of the program and, if the ignition switch is OFF, stops the rewriting process and issues a failure detection stop command to the other electronic control units. Thereby, even if the power is accidentally shut off during rewriting of the program of the electronic control device, rewriting can be performed by turning on the power again, while failure detection can be stopped.
  • the rewriting device described in Patent Document 1 has a problem in that battery power continues to be consumed, because the ignition switch state determination process is executed continuously after the rewriting process is stopped so that the rewriting can be resumed.
  • a microcomputer that operates even when the ignition switch is OFF (always power supply system microcomputer)
  • it stays stuck in the program rewrite mode, and power continues to be supplied until the user or service person notices and removes the battery, so there is a risk that the battery runs down.
  • In Patent Document 1, after the rewrite process is stopped, the rewrite process cannot be resumed unless the ignition switch is turned on. For example, if the ignition switch is stuck abnormally (the ignition switch remains off) when the vehicle is momentarily turned off due to a drop in battery voltage, the electronic control unit stagnates in the state in which the rewriting process is stopped. Further, for example, when the electronic control device that controls the power supply transition is to be rewritten, if an IG-OFF occurs momentarily due to a battery voltage drop, the electronic control device stagnates in a state where the rewrite processing is stopped. In the worst case, the electronic control device needs to be replaced if it stagnates with the rewriting process stopped.
  • an object of the present invention is to provide an in-vehicle control device capable of avoiding a stagnation even if an abnormality occurs in a program rewrite mode.
  • the present invention is an electronic control device that updates software stored in a storage unit with software transmitted from the outside of the vehicle, and when there is a software rewrite request from outside or inside the vehicle.
  • an in-vehicle control device capable of avoiding a stagnation as it is even if an abnormality occurs in a program rewrite mode.
  • FIG. 10 is an example of a flowchart for explaining a program rewriting procedure of the electronic control device (second embodiment);
  • FIG. 1 is an example of a flowchart for explaining an outline of a procedure for updating a program by the microcomputer according to the present embodiment.
  • the program be rewritten in the IG (ignition) -ON state.
  • the microcomputer operates in the normal operation mode when the reset is released.
  • the normal operation mode is an operation mode in which the electronic control device executes the program to be rewritten and controls the in-vehicle device.
  • the microcomputer repeatedly executes the normal operation mode when there is no rewrite request from a tool described later.
  • the normal operation mode when the IG-OFF state is entered, the battery power is not consumed greatly because the mode is shifted to the low power consumption mode.
  • the microcomputer performs predetermined authentication when it receives a rewrite request from the tool, and when authentication is established, the microcomputer shifts to a program rewrite mode.
  • the microcomputer of the present embodiment determines whether or not the engine operating state is the IG-ON state after shifting to the program rewriting mode.
  • shifting to the program rewrite mode means the timing before the rewrite starts. In other words, it can be expressed as a process of shifting from the normal operation mode to the program rewriting mode, at the time of shifting to the program rewriting mode, or immediately after shifting to the program rewriting mode.
  • FIG. 2 is an example of a system configuration diagram.
  • One or more electronic control units (ECUs) 100 are mounted on the vehicle.
  • Each electronic control unit operates with battery power, but the electronic control unit 100 according to the present embodiment is always supplied with power from the battery even in the IG-OFF state. This is because an electronic control device 100 to which power is not supplied in the IG-OFF state does not cause the problem of the battery running down.
  • the electronic control device 100 and the tool 50 are connected via the CAN bus 14.
  • the CAN bus 14 has a DLC (data link connector) connector 15 for connecting a tool 50 outside the vehicle, and the tool 50 communicates with the electronic control unit 100 via the DLC connector 15.
  • the DLC connector 15 is disposed, for example, at the lower right of the meter panel of the driver's seat.
  • the driver brings the vehicle to the dealer when he / she knows the malfunction of the vehicle during periodic inspections, and the service person generally connects the tool 50 to the DLC connector 15.
  • the service person operates the tool 50, rewriting of the program is started.
  • a driver or the like may rewrite in addition to the service person, and the subject is not limited.
  • for example, a meter ECU, an engine ECU, an HV (hybrid) -ECU, a brake ECU, a power supply control ECU, a transmission ECU, a gateway, a body ECU, a navigation control ECU, an electric power steering ECU, a verification ECU
  • an air conditioner ECU for detecting an obstacle, and the like.
  • the names of these electronic control devices 100 are examples, and may be applied to other electronic control devices 100, or may be applied to some or all of them.
  • the electronic control device 100 mainly includes a microcomputer 11, a power supply circuit 13, and an IC 12.
  • the power supply circuit 13 is a converter that steps down the power of the battery 16 and supplies a constant voltage to terminals of the microcomputer 11 and the IC 12 (both not shown).
  • the microcomputer 11 includes a CPU 21, a cache memory 22, a flash memory 23, a CAN controller 24, a RAM 25, and an I / O 26 connected to a bus.
  • the CPU 21 executes a program OLD 32 (hereinafter, not shown) stored in the flash memory 23, and executes a rewrite program 34 stored in the flash memory 23 in the rewrite mode.
  • the program OLD is a program for executing processing unique to the electronic control apparatus 100, and the microcomputer 11 executes the program OLD to execute, for example, processing of signals detected by sensors, calculation, control of actuators, and the like.
  • the program OLD and the program NEW are examples of the claimed software.
  • the software includes software describing processing performed by the CPU 21, such as firmware.
  • the microcomputer 11 executes a rewriting program 34 (hereinafter, reference numerals are omitted), and updates the program OLD with the program NEW.
  • a rewriting program may be included in the program OLD32, and the rewriting program may be saved in a memory other than the rewriting target at the time of rewriting the program.
  • the cache memory 22 is a high-speed and small-capacity storage element (for example, SRAM (Static RAM)) that stores a copy of a part of the program OLD or rewrite program stored in the flash memory 23.
  • the CPU 21 accesses the flash memory 23 via the cache memory 22.
  • the cache memory 22 generates a page fault. Therefore, the CPU 21 reads a program (program OLD or rewrite program) from the flash memory 23 and writes it to the cache memory 22.
  • the cache memory 22 is described outside the CPU 21 in the figure, the cache memory 22 may be built in the CPU 21. There is also a microcomputer 11 having a plurality of cache memories 22 and having a cache memory 22 called a primary cache to a tertiary cache in the order closer to the CPU 21. In this embodiment, the cache memory 22 may be arranged either inside or outside the CPU 21.
  • the RAM 25 serves as a working memory when the CPU 21 executes the program OLD or the rewrite program.
  • the program NEW transmitted from the tool 50 is temporarily stored.
  • the microcomputer 11 in which the program NEW transmitted from the tool 50 is temporarily stored in the cache memory 22 instead of the RAM 25. In this embodiment, it may be stored in either.
  • the flash memory 23 is an example of a rewritable nonvolatile memory, and may be a rewritable nonvolatile memory instead of the flash memory 23.
  • Examples of rewritable nonvolatile memory include EEPROM, FeRAM (Ferroelectric Random Access Memory), MRAM (Magnetoresistive Random Access Memory), and the like.
  • the CAN controller 24 is connected to the CAN bus 14 and receives a program NEW from the tool 50 according to the CAN protocol.
  • the CAN protocol is an example, and may be FlexRay, Ethernet (registered trademark), MOST, LIN, or the like. Further, instead of physically connecting the tool 50 and the electronic control device 100, for example, they may be connected by wireless communication such as wireless LAN or Bluetooth (registered trademark). Further, the program NEW may be downloaded from the server by communicating with a server (not shown) via a public mobile phone network or a wireless LAN network.
  • the I / O 26 is an input / output interface such as UART (Universal Asynchronous Receiver Transmitter) or SPI (Serial Peripheral Interface).
  • the CPU 21 inquires whether the program can be rewritten to the IC 12 via the I / O 26 or requests the microcomputer 11 to be reset. Further, the CPU 21 obtains permission for program rewriting from the IC 12 via the I / O 26.
  • the IC 12 resets the microcomputer 11 or determines whether or not the program can be rewritten and permits the rewriting.
  • the IC 12 obtains the determination request from the microcomputer 11, it determines whether the microcomputer 11 is in a state where the program OLD can be rewritten.
  • the contents of the determination vary depending on the microcomputer 11, for example, whether or not the battery voltage is equal to or higher than a threshold value or whether or not the microcomputer 11 has an abnormality.
  • the IC 12 outputs the determination result to the I / O 26 and, for example, sets the signal line connected to the mode SW 27 of the microcomputer 11 to High. Thereby, the mode SW27 is turned on. The mode SW27 is turned off when the microcomputer 11 is reset.
  • the microcomputer 11 obtains rewrite permission from the IC 12 and enters the program writing mode while the mode SW 27 is ON. It should be noted that the program write mode may be entered in accordance with either rewriting permission or mode SW27 being ON. Alternatively, the program rewrite mode may be entered without inquiring of the IC 12. Such an operation of the IC 12 is merely an example, and is not limited to such an operation.
  • the IC 12 has a function of resetting the microcomputer 11.
  • Reset means that the microcomputer 11 is forcibly restarted and returned to the starting state. More specifically, the microcomputer 11 is restarted by reset release.
  • the reset circuit included in the IC 12 includes a resistor 121 connected to the constant voltage Vcc generated by the power supply circuit 13, a capacitor 122, and a switch 123.
  • When the switch 123 is ON, RES # 28 of the microcomputer 11 becomes Low, and the microcomputer 11 is in a state in which the stored contents are initialized.
  • the switch 123 is OFF, the constant voltage Vcc is input to the RES # 28 of the microcomputer 11, the RES # 28 becomes High, and the reset is released.
  • the microcomputer 11 may directly reset itself.
  • a reset circuit switch 123 is connected to the microcomputer 11, and the microcomputer 11 can be reset by turning on the switch 123.
  • the tool 50 is an information processing apparatus, and includes a CPU, a ROM, a RAM, an I / O, and the like (not shown).
  • the CAN controller 24 is connected to the CAN bus 14.
  • a program NEW31 (hereinafter, reference numerals are omitted) is stored.
  • the program NEW is a program that can be replaced with the program OLD of the electronic control device 100.
  • the service person copies the program NEW distributed on a storage medium such as a USB memory to the ROM or RAM of the tool 50 before the rewriting work.
  • the tool 50 may be connected to a PC (Personal Computer), and the program NEW downloaded from the server by the PC via the Internet may be copied to the tool 50.
  • the PC may be a tool body.
  • FIG. 3 shows an example of a functional block diagram of the program OLD and the rewrite program.
  • the program OLD is executed in the normal operation mode, and the rewrite program is executed in the rewrite mode.
  • the correctness / incorrectness determination unit 42 is executed to determine whether or not the microcomputer 11 is normal immediately after the resetting of the microcomputer 11, and thus may not be included in the normal operation mode.
  • the correctness determination unit 42 is executed immediately after the reset of the microcomputer 11 is released.
  • the correctness determination unit 42 is a program that determines whether at least the program OLD stored in the flash memory 23 is normal. In addition to the program OLD, it may be determined whether or not the rewrite program is normal, or it may be determined whether or not the entire flash memory 23 is normal.
  • the correctness determination unit 42 determines whether the program OLD is bit-inverted due to noise or the like. Any determination method may be used, for example, checksum, CRC, MD5 (Message Digest Algorithm 5).
  • the vehicle control unit 41 controls an in-vehicle device connected to the electronic control device 100, and performs sensing using a sensor, reception of data from other electronic control devices, calculation, control of an actuator, and the like. Until the “rewrite request” is transmitted from the tool 50, or except in a special situation where an abnormality is detected, the vehicle control unit 41 periodically repeats the process.
  • the “rewrite request” is information for requesting rewriting of a program, for example, and may be transmitted in any manner such as a command, data, or signal. Moreover, the information which designates ECU and a program may be included.
  • the program NEW is downloaded from the server and temporarily held by an arbitrary electronic control device, or the program NEW transmitted from the tool 50 is temporarily held by an arbitrary electronic control device.
  • an arbitrary electronic control device may output a “rewrite request” in order to control rewriting of the program OLD in the flash memory 23 of the electronic control device 100. Therefore, the “rewrite request” may be transmitted from inside the vehicle other than the tool 50.
  • the vehicle control unit 41 requests the rewrite determination unit 43 to determine whether or not the rewrite condition of the program OLD is satisfied. This determination includes, in addition to the same contents as the determination by the IC 12, whether or not the load on the CPU 21 is high and whether or not there is an abnormality.
  • the rewrite determination unit 43 outputs a determination request to the IC 12. Accordingly, the IC 12 turns on the mode SW 27 and returns the determination result to the microcomputer 11.
  • the rewrite determining unit 43 calls the rewrite program starting unit 44 with reference to the state of the mode SW 27 and the determination result.
  • the rewrite program starting unit 44 sets the start address of the rewrite program in the PC (program counter) of the CPU 21. By doing so, the CPU 21 can execute the rewrite program, and the following rewrite program functions are realized.
  • the rewrite program includes an IG determination unit 45, a rewrite unit 48, a reset unit 46, and a correctness determination unit 47.
  • the IG determination part 45 is one of the characteristic parts of this embodiment with respect to the prior art.
  • the IG determination unit 45 determines whether the IG-ON state or the OFF state before the rewriting unit 48 starts rewriting. Whether IG-ON or OFF may be monitored, for example, by monitoring the voltage of the IGSW terminal of the electronic control device 100.
  • the reset unit 46 requests the IC 12 to reset the microcomputer 11 in the following cases:
      - when not in the IG-ON state after shifting to the program rewrite mode
      - when the rewrite is completed normally
    Among these, resetting when not in the IG-ON state is one of the features of this embodiment with respect to the prior art.
  • the rewriting unit 48 stores the program NEW received from the tool 50 via the CAN bus in the RAM 25 which is a working memory, and writes the program NEW from the RAM 25 to the flash memory 23.
  • the flash memory 23 may be rewritten only by the program OLD, or the entire flash memory 23 may be rewritten.
  • the microcomputer 11 transfers the rewriting program to the RAM 25 or the like in advance.
  • the rewriting unit 48 repeats the reception of the program NEW, the writing to the RAM 25, and the transfer from the RAM 25 to the flash memory 23 until the rewriting end command is received from the tool 50. Since the address map of the flash memory 23 is known, the program NEW may be written in the address range of the program OLD.
  • the function of the correctness / incorrectness determination unit 47 of the rewrite program is the same as that of the program OLD. Since the rewriting program has the correct / incorrect determination unit 47, correct / incorrect determination can be performed after rewriting is completed, and rewriting can be performed again when the rewriting program is not normal.
  • FIG. 4 is an example of a flowchart showing a program rewriting procedure of a conventional electronic control device.
  • the correctness determination unit 42 determines whether the flash memory 23 is correct (S10). The reset is released when the battery 16 is connected or when an abnormality is detected, in addition to reset after rewriting the program OLD.
  • If the flash memory 23 is normal (Yes in S10), the microcomputer 11 is in a normal operation mode, and the vehicle control unit 41 performs vehicle control to be performed by the electronic control device 100 (S20).
  • the vehicle control unit 41 repeats the same processing every predetermined cycle time, but in the meantime, the serviceman may connect the tool 50 and transmit a rewrite request. In this case, the vehicle control unit 41 causes the rewrite determination unit 43 to determine whether or not rewriting is possible (S30).
  • the vehicle control unit 41 continues vehicle control.
  • the rewrite program activation unit 44 activates the rewrite program. As a result, the microcomputer 11 enters the program rewrite mode. Note that if the transition is successful, the mode SW 27 is ON when the program rewrite mode is transitioned to, but whether or not the program rewrite mode is selected does not matter whether the mode SW 27 is ON or OFF.
  • the rewrite unit 48 communicates with the tool 50 and starts rewriting the flash memory 23 without determining whether or not the microcomputer 11 in the conventional rewrite mode is in the IG-ON state (S40).
  • a rewrite start command is transmitted from the tool 50, and rewriting of the memory starts.
  • the rewriting unit 48 repeatedly requests the tool 50 for a part of the next program NEW until the rewriting is completed while writing a part of the program NEW transmitted from the tool 50 to the flash memory 23 (S50). Completion of rewriting is determined by receiving the end of data (EOF) from the tool 50, completion of writing of the amount of data received at the start of rewriting, and the like.
  • EOF (end of data)
  • the rewriting unit 48 receives a rewriting end command from the tool 50 (S60). Thereby, the communication with the tool 50 can be terminated.
  • the correctness determination unit 47 determines whether the flash memory 23 is correct (S70). In addition, the correctness determination of step S70 is not essential.
  • the reset unit 46 requests the IC 12 to reset the microcomputer 11, so that the microcomputer 11 is reset (S80).
  • the processing from step S10 onward is repeated, so that it is determined as normal by the correctness determination, and the microcomputer 11 enters the normal operation mode.
  • the microcomputer 11 can rewrite the program OLD, detect that the rewriting has failed, and rewrite it again.
  • FIG. 5A is an example of a flowchart for explaining inconveniences caused by a program rewriting procedure of a conventional electronic control apparatus.
  • the rewrite determination unit 43 determines that the rewrite mode can be entered (S30). At this time, a delay time occurs until the rewriting unit 48 communicates with the tool 50 and starts rewriting the memory.
  • the service person operates the tool 50, but may operate IG-OFF before transmitting the rewrite start command for some reason. Although power is supplied to the + B terminal even when operated to IG-OFF, the microcomputer 11 can operate, but since it has shifted to the program rewrite mode, it cannot enter the low power consumption mode as in the normal operation mode.
  • the tool 50 cannot detect the vehicle abnormality (IG-OFF). Even in the program rewrite mode, when the tool 50 enters the IG-OFF state after transmitting the rewrite start command, the tool 50 determines that the rewrite conditions are not satisfied (determines that the IG-OFF state is established), and it can be reset or rewriting can be completed. In these cases, the tool 50 displays an error, so that the user can grasp that rewriting has failed.
  • IG-OFF vehicle abnormality
  • FIG. 5B is an example of a flowchart for explaining another inconvenience caused by the program rewriting procedure of the conventional electronic control device 100.
  • FIG. 5B it is assumed that the state is already in the IG-OFF state.
  • the microcomputer 11 in the normal operation mode is executing vehicle control, there is a case where the program OLD is being executed before shifting to the low power consumption mode even when the IG-OFF is set. Also, the program OLD may be executed in order to monitor the presence / absence of abnormality by periodically starting even in the low power consumption mode. For this reason, there is a possibility that the CPU 21 executes the rewriting program due to an abnormality in the program counter.
  • the rewrite program tries to rewrite the program OLD by communicating with the tool 50.
  • the microcomputer 11 stagnates in the rewrite mode and cannot enter the low power consumption mode. For this reason, there was a possibility of this leading to battery exhaustion.
  • the driver accidentally shifts to the rewrite mode during the IG-ON state, the driver or the like is in the vehicle, so that it can be noticed by a feeling of strangeness in the behavior or lighting of an alarm on the meter.
  • a mechanism such as a watchdog timer.
  • FIG. 6 is an example of a flowchart for explaining a program rewriting procedure of the electronic control apparatus 100 of this embodiment. Compared with FIGS. 5A and 5B, step S35 is added.
  • step S30 when it is determined in step S30 to shift to the rewrite mode, it is determined whether or not the IG determination unit 45 is in the IG-ON state (S35). Thereby, it can be detected that the IG-OFF is operated before the rewriting starts. Note that the determination as to whether or not the IG-ON state is present may be made before shifting to the rewrite mode.
  • When it is in the IG-OFF state (No in S35), the reset unit 46 resets the microcomputer 11 (S80). Therefore, when the service person operates IG-OFF after shifting to the rewrite mode, the microcomputer 11 can return to the normal operation mode.
  • step S10 determines whether or not it is in the IG-ON state. Can be reset.
  • FIG. 7 is a modification of the procedure of FIG. The difference from FIG. 6 is that, when it is determined No in step S50, it is determined in step S35 whether or not the IG-ON state is set. As described above, in the procedure of FIG. 7, it is determined whether or not the IG-ON state is set periodically or at an arbitrary timing such as when the load decreases. It is also effective to make a regular determination using a timer. By determining whether or not the IG-OFF state holds a plurality of times before the rewriting is completed, it is possible to detect that the IG-OFF state has been entered during rewriting.
  • the microcomputer 11 of the present embodiment can prevent the battery from running out even if it is operated IG-OFF during the rewrite mode.
  • the microcomputer 11 that performs correct / incorrect determination after IG determination will be described.
  • the processing based on correctness / incorrectness determination, if the service person wants to rewrite and accidentally operates IG-OFF, the rewriting can be performed again.
  • the components described in the first embodiment perform the same function, and therefore, only the main components of the present embodiment may be mainly described.
  • FIG. 8 is an example of a flowchart for explaining a program rewriting procedure of the electronic control device 100 according to the present embodiment. Compared with FIG. 7, step S37 is added.
  • If it is determined in step S30 to shift to the rewrite mode, the IG determination unit 45 determines whether or not it is in the IG-ON state (S35). As described above, it can be detected that the service person has operated IG-OFF after shifting to the rewrite mode.
  • When it is in the IG-OFF state (No in S35), the correctness determination unit 47 performs correctness determination (S37). For example, there may be a case where a serviceman erroneously operates IG-OFF during rewriting. In this case, since the flash memory 23 has been rewritten only halfway, the service person should rewrite it. In this case, it is assumed that the result of the correctness determination is not normal.
  • the rewrite unit 48 rewrites the memory (S40).
  • the subsequent processing is the same as in FIG.
  • rewriting can be performed when the serviceman erroneously operates IG-OFF during rewriting, and the normal operation mode can be returned in other cases.
  • the correctness determination in the added step S37 is originally a logic that the rewrite program has or a logic that is executed immediately after the reset is released, the change cost of the rewrite program can be suppressed.
  • the reset is performed when the IG-ON state is not set, but the reset may be performed when the ACC-ON state is not set.
  • the microcomputer returns to the normal operation mode by resetting the microcomputer
  • the normal operation mode may be returned to, for example, by setting the address of the program OLD in the program counter.
  • the distinction between the normal operation mode and the program rewrite mode may not be clear, and the two operation modes may not be distinguished.
  • the determination as to whether or not the rewriting has started is based on the fact that the rewriting start command is transmitted.
  • the microcomputer has received the first part of the program NEW or the first part of the program NEW. May be determined to be started by rewriting to the flash memory 23.
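
The rewrite flow described above (conventional FIG. 4 against the S35 ignition check and S37 correctness check of FIG. 8), as an added C simulation that is not code from the patent or its applicant. The type names, the message set, the one-event-per-tick model, the constructed image bytes and the choice to stay in rewrite mode when the S10 check fails are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added sketch. Type names, the message set and the one-event-per-tick model
   are assumptions of this example, not taken from the patent. */
enum mode   { MODE_NORMAL, MODE_LOW_POWER, MODE_REWRITE };
enum msg    { MSG_NONE, MSG_REQUEST, MSG_START, MSG_DATA, MSG_END };
enum policy { POLICY_CONVENTIONAL,   /* FIG. 4: no ignition check         */
              POLICY_IG_CHECK };     /* FIG. 8: S35 check plus S37 verify */
#define IMG_LEN 4
struct tick { int ig_on; enum msg msg; uint8_t data; };

struct ecu {
    enum mode mode;
    uint8_t   flash[IMG_LEN];  /* stands in for program OLD / NEW         */
    uint8_t   stored_sum;      /* reference checksum kept with the image  */
    size_t    wr;              /* next write offset during rewriting      */
    int       started;         /* rewrite start command seen              */
    unsigned  resets;          /* number of S80 resets                    */
    unsigned  stalled;         /* ticks in rewrite mode with IG off       */
};

/* Correctness determination: additive checksum (the page also allows CRC, MD5). */
static int flash_ok(const struct ecu *e) {
    uint8_t s = 0;
    for (size_t i = 0; i < IMG_LEN; i++) s = (uint8_t)(s + e->flash[i]);
    return s == e->stored_sum;
}

/* S80 reset followed by the S10 check run at reset release. Staying in rewrite
   mode when S10 fails is an assumption made for this sketch. */
static void ecu_reset(struct ecu *e) {
    e->resets++;
    e->started = 0; e->wr = 0;
    e->mode = flash_ok(e) ? MODE_NORMAL : MODE_REWRITE;
}

static void ecu_step(struct ecu *e, const struct tick *t, enum policy p) {
    if (e->mode != MODE_REWRITE) {
        /* S20/S30: authentication and the IC 12 permission query are omitted. */
        if (t->msg == MSG_REQUEST) e->mode = MODE_REWRITE;
        else e->mode = t->ig_on ? MODE_NORMAL : MODE_LOW_POWER;
    } else if (p == POLICY_IG_CHECK && !t->ig_on && flash_ok(e)) {
        /* S35 says IG-OFF and S37 says the image is intact: leave rewrite mode. */
        ecu_reset(e);
    } else {
        /* S40-S60: IG on, or a half-written image that still has to be redone. */
        switch (t->msg) {
        case MSG_START: e->started = 1; e->wr = 0; break;
        case MSG_DATA:
            if (e->started && e->wr < IMG_LEN) e->flash[e->wr++] = t->data;
            break;
        case MSG_END:   /* data carries the new image's checksum */
            if (e->started) { e->stored_sum = t->data; ecu_reset(e); }
            break;
        default: break;
        }
    }
    if (e->mode == MODE_REWRITE && !t->ig_on) e->stalled++;
}

static struct ecu run_script(const struct tick *s, size_t n, enum policy p) {
    /* Constructed program OLD: bytes sum to 0xA0. */
    struct ecu e = { .mode = MODE_NORMAL, .flash = {0x10, 0x20, 0x30, 0x40},
                     .stored_sum = 0xA0 };
    for (size_t i = 0; i < n; i++) ecu_step(&e, &s[i], p);
    return e;
}

/* FIG. 5A: request accepted, then IG-OFF before any start command arrives. */
struct ecu scenario_ig_off_before_start(enum policy p) {
    struct tick s[51] = { {1, MSG_REQUEST, 0} };  /* other 50: IG off, no message */
    return run_script(s, 51, p);
}

/* IG-OFF in the middle of rewriting, then the service person starts over. */
struct ecu scenario_ig_off_mid_rewrite(enum policy p) {
    const struct tick s[] = {
        {1, MSG_REQUEST, 0}, {1, MSG_START, 0},
        {1, MSG_DATA, 0x11}, {1, MSG_DATA, 0x22},
        {0, MSG_NONE, 0},    {0, MSG_NONE, 0},     /* ignition switched off */
        {1, MSG_START, 0},   {1, MSG_DATA, 0x11},  {1, MSG_DATA, 0x22},
        {1, MSG_DATA, 0x33}, {1, MSG_DATA, 0x44},
        {1, MSG_END, 0xAA},                        /* 0x11+0x22+0x33+0x44 */
    };
    return run_script(s, sizeof s / sizeof s[0], p);
}

int main(void) {
    struct ecu a = scenario_ig_off_before_start(POLICY_CONVENTIONAL);
    struct ecu b = scenario_ig_off_before_start(POLICY_IG_CHECK);
    printf("conventional: mode=%d stalled=%u resets=%u\n", (int)a.mode, a.stalled, a.resets);
    printf("ig check:     mode=%d stalled=%u resets=%u\n", (int)b.mode, b.stalled, b.resets);
    return 0;
}
```

The `stalled` counter is the proxy for battery drain: ticks the microcomputer spends in rewrite mode while the ignition is off and it cannot enter the low power consumption mode.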

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

An electronic control device (100) for updating software (32) stored in a storage unit (23) with software (31) transmitted from the outside of a vehicle (50), and characterized by being equipped with: a determination means (43) that determines whether the ignition is in an off-state or in an on-state when a software rewriting request is made from the outside of the vehicle or from within the vehicle; a resetting means (46) that resets a microcontroller of the electronic control device if the ignition is in the off-state; and a rewriting means (48) that rewrites the software in the storage unit if the ignition is in the on-state.

Description

Electronic control device, software rewriting system
The present invention relates to an electronic control device and the like that updates software stored in a storage unit with software transmitted from the outside.
Many devices mounted on a vehicle are controlled by electronic control devices. Depending on the vehicle, several tens or more electronic control devices may be mounted, each controlling an engine, brakes, power steering, a transmission, door locks, a navigation device, and the like. The electronic control devices communicate with each other via a network to operate as a system or to perform coordinated control.
The electronic control device has a microcomputer, which performs various kinds of control by executing a program. This program is stored in a nonvolatile memory, and the stored program can be rewritten from the outside so that it can be upgraded after the vehicle is shipped.
However, if rewriting of the program does not complete normally, it becomes difficult to control the in-vehicle device, so techniques for rewriting the program normally have been devised (see, for example, Patent Document 1). Patent Document 1 discloses a rewriting device that monitors whether the ignition switch is ON or OFF during rewriting of the program and, if the ignition switch is OFF, stops the rewriting process and issues a command to other electronic control devices to stop failure detection. As a result, even if the power is accidentally shut off while the program of the electronic control device is being rewritten, rewriting can be performed by turning the power on again, while failure detection can be stopped.
JP 2010-026623 A
However, the rewriting device described in Patent Document 1 continues to execute the ignition-switch state determination process after stopping the rewriting process, in order to resume rewriting, so battery power continues to be consumed. That is, a microcomputer that operates even when the ignition switch is OFF (an always-powered microcomputer) stalls in the program rewrite mode and keeps being supplied with power until the user or a service person notices and disconnects the battery, which may drain the battery.
Also, in Patent Document 1, once the rewriting process has been stopped it cannot be resumed unless the ignition switch is turned ON. For example, if the vehicle momentarily goes IG-OFF because of a drop in battery voltage and a stuck-switch fault occurs in the ignition switch at that moment (a fault in which the ignition switch stays OFF), the electronic control device stalls with the rewriting process stopped. Likewise, if the electronic control device that controls power-state transitions is itself the rewrite target and a battery voltage drop causes a momentary IG-OFF, the electronic control device stalls with the rewriting process stopped. In the worst case, an electronic control device that stalls with the rewriting process stopped must be replaced.
Furthermore, in the rewriting device described in Patent Document 1, the rewriting device side determines whether the ignition switch is ON or OFF and stops the rewriting process, so a rewriting device must be developed each time a new type of electronic control device is added.
In view of the above problems, an object of the present invention is to provide an in-vehicle control device that can avoid stalling even if an abnormality occurs in the program rewrite mode.
In view of the above problems, the present invention is an electronic control device that updates software stored in a storage unit with software transmitted from outside the vehicle, comprising: determination means for determining whether the ignition is in an ON state or an OFF state when a software rewrite request is made from outside or inside the vehicle; reset means for resetting the microcomputer of the electronic control device when the ignition is in the OFF state; and rewriting means for rewriting the software in the storage unit when the ignition is in the ON state.
According to the present invention, it is possible to provide an in-vehicle control device that can avoid stalling even if an abnormality occurs in the program rewrite mode.
An example of a flowchart outlining the procedure by which the microcomputer updates a program.
An example of a system configuration diagram.
An example of a functional block diagram of the program OLD and the rewrite program.
An example of a flowchart showing the program rewriting procedure of a conventional electronic control device.
An example of a flowchart explaining a problem caused by the program rewriting procedure of the conventional electronic control device.
An example of a flowchart explaining another problem caused by the program rewriting procedure of the conventional electronic control device.
An example of a flowchart explaining the program rewriting procedure of the electronic control device of this embodiment.
An example of a flowchart explaining a modification of the program rewriting procedure of the electronic control device.
An example of a flowchart explaining the program rewriting procedure of the electronic control device (second embodiment).
11 Microcomputer
12 IC
21 CPU
23 Flash memory
50 Tool
100 Electronic control device
Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings.
[Outline of the rewrite operation of this embodiment]
FIG. 1 is an example of a flowchart outlining the procedure by which the microcomputer of this embodiment updates a program. For the microcomputer of this embodiment, it is assumed that rewriting the program in the IG (ignition)-ON state is recommended.
S1: When the reset is released, the microcomputer operates in the normal operation mode. The normal operation mode is the operation mode in which the electronic control device executes the program that is the rewrite target and controls the in-vehicle device. As long as there is no rewrite request from the tool described later, the microcomputer keeps executing the normal operation mode. In the normal operation mode, the microcomputer shifts to a low power consumption mode when the IG-OFF state is entered, so it does not consume much battery power.
S2: When the microcomputer receives a rewrite request from the tool, it performs predetermined authentication, and when authentication succeeds it shifts to the program rewrite mode.
S3: After shifting to the program rewrite mode, the microcomputer of this embodiment determines whether or not the engine operating state is the IG-ON state. "After shifting to the program rewrite mode" here means a point in time before rewriting starts. In other words, it can be described as during the transition from the normal operation mode to the program rewrite mode, at the time of the transition to the program rewrite mode, or immediately after the transition to the program rewrite mode.
S4: If the IG-ON state holds immediately after the shift to the program rewrite mode, the microcomputer determines that rewriting can be performed normally and starts rewriting. After rewriting completes, the microcomputer is reset and starts up in the normal operation mode.
S5: If, on the other hand, the IG-OFF state holds immediately after the shift to the program rewrite mode, the microcomputer resets itself. That is, the program rewrite mode should not be entered in the IG-OFF state, and an IG-OFF immediately after the shift to the program rewrite mode is difficult to detect even with a tool, so in the IG-OFF state the microcomputer returns to the normal operation mode by resetting itself. Because the normal operation mode shifts to the low power consumption mode in the IG-OFF state, battery drain can be prevented even in the IG-OFF state.
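The S1 to S5 flow above, modelled as an added example (not code from the patent): it runs one constructed ignition trace through the embodiment's policy (reset on IG-OFF) and through the wait-for-IG-ON behaviour attributed to Patent Document 1. All type and function names are hypothetical; one loop iteration stands for one polling cycle, and a rewrite is assumed to finish within one cycle.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { MODE_NORMAL, MODE_REWRITE } ecu_mode_t;
typedef enum { POLICY_WAIT_FOR_IG_ON, POLICY_RESET_ON_IG_OFF } policy_t;

/* One polling cycle of constructed input. */
typedef struct {
    bool rewrite_request; /* request from the tool or another in-vehicle ECU */
    bool auth_ok;         /* outcome of the "predetermined authentication" (S2) */
    bool ig_on;           /* ignition state sampled in this cycle */
} tick_t;

typedef struct {
    ecu_mode_t mode;
    bool low_power;              /* true only in normal mode with IG-OFF */
    unsigned resets;
    unsigned rewrites_done;
    unsigned awake_ticks_ig_off; /* cycles spent awake in rewrite mode with IG-OFF */
} ecu_t;

/* A reset always lands in the normal operation mode (S1). */
static void mcu_reset(ecu_t *e, bool ig_on)
{
    e->mode = MODE_NORMAL;
    e->low_power = !ig_on;
    e->resets++;
}

static void ecu_tick(ecu_t *e, policy_t policy, const tick_t *t)
{
    if (e->mode == MODE_NORMAL) {
        e->low_power = !t->ig_on;                  /* S1: sleep when IG-OFF */
        if (!(t->rewrite_request && t->auth_ok))
            return;                                /* S2 not satisfied */
        e->mode = MODE_REWRITE;                    /* S2: enter rewrite mode */
        e->low_power = false;
    }
    /* S3: ignition check before any flash write begins. */
    if (t->ig_on) {
        e->rewrites_done++;                        /* S4: rewrite, then reset */
        mcu_reset(e, t->ig_on);
    } else if (policy == POLICY_RESET_ON_IG_OFF) {
        mcu_reset(e, t->ig_on);                    /* S5: leave rewrite mode */
    } else {
        e->awake_ticks_ig_off++;                   /* keeps polling, stays awake */
    }
}

ecu_t run_trace(policy_t policy, const tick_t *trace, size_t n)
{
    ecu_t e = { MODE_NORMAL, false, 0, 0, 0 };
    for (size_t i = 0; i < n; i++)
        ecu_tick(&e, policy, &trace[i]);
    return e;
}

/* Constructed trace: the request arrives in the cycle where ignition drops
 * to OFF and then stays OFF (for example a stuck ignition switch). */
const tick_t TRACE_IG_DROP[] = {
    { false, false, true  },
    { true,  true,  false },
    { false, false, false },
    { false, false, false },
    { false, false, false },
};
#define TRACE_IG_DROP_LEN (sizeof TRACE_IG_DROP / sizeof TRACE_IG_DROP[0])

/* Constructed trace: authenticated request while ignition is ON. */
const tick_t TRACE_IG_ON[] = {
    { true,  true,  true },
    { false, false, true },
};
#define TRACE_IG_ON_LEN (sizeof TRACE_IG_ON / sizeof TRACE_IG_ON[0])

int main(void)
{
    ecu_t a = run_trace(POLICY_RESET_ON_IG_OFF, TRACE_IG_DROP, TRACE_IG_DROP_LEN);
    ecu_t b = run_trace(POLICY_WAIT_FOR_IG_ON, TRACE_IG_DROP, TRACE_IG_DROP_LEN);
    printf("reset-on-IG-OFF: mode=%d low_power=%d resets=%u awake_ig_off=%u\n",
           a.mode, a.low_power, a.resets, a.awake_ticks_ig_off);
    printf("wait-for-IG-ON:  mode=%d low_power=%d resets=%u awake_ig_off=%u\n",
           b.mode, b.low_power, b.resets, b.awake_ticks_ig_off);
    return 0;
}
```

With the IG-drop trace, only the wait-for-IG-ON policy ends in rewrite mode with the low power mode unreachable, which is the battery-drain case the description attributes to the prior art.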
[Configuration example]
FIG. 2 is an example of a system configuration diagram. One or more electronic control devices (ECU: Electronic Control Unit) 100 are mounted on the vehicle. Each electronic control device operates on battery power, and the electronic control device 100 of this embodiment is supplied with power from the battery at all times, even in the IG-OFF state. This is because the problem of battery drain does not arise in an electronic control device 100 that is not supplied with power in the IG-OFF state. However, the rewrite program described in this embodiment can also be applied to an electronic control device 100 that is not supplied with power in the IG-OFF state.
The electronic control device 100 and the tool 50 are connected via the CAN bus 14. The CAN bus 14 has a DLC (data link connector) connector 15 to which the tool 50 outside the vehicle is connected, and the tool 50 communicates with the electronic control device 100 via the DLC connector 15. The DLC connector 15 is located, for example, at the lower right of the meter panel at the driver's seat.
The driver brings the vehicle to a dealer for periodic inspections or on noticing a vehicle malfunction, so it is generally a service person who connects the tool 50 to the DLC connector 15. Rewriting of the program starts when the service person operates the tool 50. Someone other than a service person, such as the driver, may also perform the rewriting; it does not matter who does it, but the following description assumes that a service person performs the rewriting.
The electronic control devices 100 mounted on the vehicle include, for example, a meter ECU, an engine ECU, an HV (hybrid) ECU, a brake ECU, a power supply control ECU, a transmission ECU, a gateway, a body ECU, a navigation control ECU, an electric power steering ECU, a verification ECU, an air conditioner ECU, a headlamp ECU, a camera ECU, and an electronic control device 100 for obstacle detection. These names are examples; the embodiment may be applied to other electronic control devices 100, or to some or all of those listed.
The electronic control device 100 mainly includes a microcomputer 11, a power supply circuit 13, and an IC 12. The power supply circuit 13 is a converter that steps down the power of the battery 16 and supplies a constant voltage to terminals of the microcomputer 11 and the IC 12 (both not shown).
The microcomputer 11 includes a CPU 21, a cache memory 22, a flash memory 23, a CAN controller 24, a RAM 25, and an I/O 26, all connected to a bus.
In the normal operation mode the CPU 21 executes the program OLD 32 stored in the flash memory 23 (the reference numeral is omitted below), and in the rewrite mode it executes the rewrite program 34 stored in the flash memory 23. The program OLD is a program for executing processing specific to the electronic control device 100; by executing it, the microcomputer 11 performs, for example, processing of signals detected by sensors, calculations, and control of actuators. The program OLD and the program NEW are examples of the software in the claims. Software includes not only what is called a program but also firmware and anything else that describes processing performed by the CPU 21.
The microcomputer 11 also executes the rewrite program 34 (the reference numeral is omitted below) to update the program OLD with the program NEW. The rewrite program may be included in the program OLD 32, and at the time of rewriting the rewrite program may be saved to a memory that is not a rewrite target.
The cache memory 22 is a high-speed, small-capacity storage element (for example, SRAM (Static RAM)) that stores a copy of part of the program OLD or the rewrite program stored in the flash memory 23. The CPU 21 accesses the flash memory 23 via the cache memory 22. When the address specified by the CPU 21 is not held in the cache memory 22, the cache memory 22 generates a page fault, so the CPU 21 reads the program (the program OLD or the rewrite program) from the flash memory 23 and writes it to the cache memory 22.
Although the figure shows the cache memory 22 outside the CPU 21, the cache memory 22 may be built into the CPU 21. Some microcomputers 11 have a plurality of cache memories 22, called the primary cache to the tertiary cache in order of proximity to the CPU 21. In this embodiment, the cache memory 22 may be located either inside or outside the CPU 21.
The RAM 25 serves as working memory when the CPU 21 executes the program OLD or the rewrite program. In the normal operation mode, it stores sensor signals and data received from other electronic control devices, calculation results, and data to be transmitted to other electronic control devices. In the rewrite mode, the program NEW transmitted from the tool 50 is temporarily stored there. In some microcomputers 11, the program NEW transmitted from the tool 50 in the rewrite mode is temporarily stored in the cache memory 22 instead of the RAM 25. In this embodiment, it may be stored in either.
The flash memory 23 is an example of a rewritable nonvolatile memory; any rewritable nonvolatile memory may be used in place of the flash memory 23. Examples of rewritable nonvolatile memory include EEPROM, FeRAM (Ferroelectric Random Access Memory), and MRAM (Magnetoresistive Random Access Memory).
The CAN controller 24 is connected to the CAN bus 14 and receives the program NEW from the tool 50 according to the CAN protocol. The CAN protocol is one example; FlexRay, Ethernet (registered trademark), MOST, LIN, or the like may be used instead. Also, rather than being physically connected, the tool 50 and the electronic control device 100 may be connected by wireless communication such as wireless LAN or Bluetooth (registered trademark). Furthermore, the program NEW may be downloaded from a server (not shown) by communicating with the server via a public mobile phone network or a wireless LAN network.
The I/O 26 is an input/output interface such as a UART (Universal Asynchronous Receiver Transmitter) or SPI (Serial Peripheral Interface). Via the I/O 26, the CPU 21 asks the IC 12 whether the program can be rewritten and requests a reset of the microcomputer 11. The CPU 21 also obtains permission to rewrite the program from the IC 12 via the I/O 26.
Next, the IC 12 will be described. The IC 12 resets the microcomputer 11, and determines whether the program can be rewritten and permits rewriting. On receiving a determination request from the microcomputer 11, the IC 12 determines whether the microcomputer 11 is in a state in which the program OLD can be rewritten. What is checked varies with the microcomputer 11, but examples are whether the battery voltage is at or above a threshold and whether the microcomputer 11 has any abnormality.
The IC 12 outputs the determination result to the I/O 26 and, for example, drives the signal line connected to the mode SW 27 of the microcomputer 11 High. This turns the mode SW 27 ON. The mode SW 27 is turned OFF by a reset of the microcomputer 11. The microcomputer 11 is in the program write mode while it has rewrite permission from the IC 12 and the mode SW 27 is ON. The microcomputer 11 may instead enter the program write mode in response to either the rewrite permission or the mode SW 27 being ON. It may also enter the program rewrite mode without querying the IC 12. This operation of the IC 12 is only an example, and the IC 12 is not limited to it.
The IC 12 also has a function of resetting the microcomputer 11. A reset means forcibly restarting the microcomputer 11 and returning it to its start-up state. More specifically, the microcomputer 11 restarts when the reset is released. The reset circuit of the IC 12 has a resistor 121 connected to the constant voltage Vcc generated by the power supply circuit 13, a capacitor 122, and a switch 123. When the switch 123 is ON, RES# 28 of the microcomputer 11 goes Low and the microcomputer 11 enters a state in which its stored contents and the like are initialized. When the switch 123 is OFF, the constant voltage Vcc is applied to RES# 28 of the microcomputer 11, RES# 28 goes High, and the reset is released.
Instead of the IC 12 resetting the microcomputer 11, the microcomputer 11 may reset itself directly. In this case, the switch 123 of the reset circuit is connected to the microcomputer 11, and the microcomputer 11 can reset itself by turning the switch 123 ON.
Next, the tool 50 will be described. The tool 50 is in substance an information processing device and has a CPU, ROM, RAM, I/O, and the like (not shown). When the service person connects the cable extending from the tool 50 to the DLC connector 15, the CAN controller 24 is connected to the CAN bus 14. The program NEW 31 (the reference numeral is omitted below) is stored in the memory of the tool 50. The program NEW is the program that replaces the program OLD of the electronic control device 100.
Before the rewriting work, the service person copies the program NEW, distributed on a storage medium such as a USB memory, to the ROM or RAM of the tool 50. Alternatively, the tool 50 may be connected to a PC (Personal Computer), and the program NEW that the PC has downloaded from a server via the Internet may be copied to the tool 50. Alternatively, the PC itself may serve as the tool.
[Functions of the program OLD and the rewrite program]
FIG. 3 shows an example of a functional block diagram of the program OLD and the rewrite program. The program OLD is executed in the normal operation mode, and the rewrite program is executed in the rewrite mode. Within the program OLD, the correctness determination unit 42 is executed immediately after a reset of the microcomputer 11 to determine whether the program is normal, so it need not be regarded as part of the normal operation mode.
The correctness determination unit 42 is executed immediately after the reset of the microcomputer 11 is released. It is a program that determines whether at least the program OLD stored in the flash memory 23 is normal. In addition to the program OLD, it may determine whether the rewrite program is normal, or whether the entire flash memory 23 is normal.
When the reset is released and the microcomputer 11 starts up, the correctness determination unit 42 determines whether any bit of the program OLD has been inverted by noise or the like. Any determination method may be used; examples include a checksum, CRC, and MD5 (Message Digest Algorithm 5).
The vehicle control unit 41 controls the in-vehicle device connected to the electronic control device 100; it performs sensing using sensors and the like, reception of data from other electronic control devices, calculations, control of actuators, and so on. Until a “rewrite request” is transmitted from the tool 50, and except in special situations such as when an abnormality is detected, the vehicle control unit 41 repeats its processing periodically. A “rewrite request” is, for example, information requesting rewriting of a program, and may be transmitted in any form, such as a command, data, or a signal. It may also include information specifying an ECU or a program.
Note that an arbitrary electronic control device may temporarily hold the program NEW after it is downloaded from a server, or may temporarily hold the program NEW transmitted from the tool 50. In this case, that electronic control device may output a “rewrite request” in order to control rewriting of the program OLD in the flash memory 23 of the electronic control device 100. A “rewrite request” may therefore also be transmitted from inside the vehicle, from a source other than the tool 50.
On receiving a “rewrite request” from the tool 50, the vehicle control unit 41 requests the rewrite determination unit 43 to determine whether the rewrite conditions for the program OLD are satisfied. This determination covers the same items as the determination by the IC 12 and, in addition, whether the load on the CPU 21 is high, whether there is any abnormality, and so on. When it determines that the rewrite conditions for the program OLD are satisfied, the rewrite determination unit 43 outputs a determination request to the IC 12. In response, the IC 12 turns the mode SW 27 ON and returns the determination result to the microcomputer 11.
The rewrite determination unit 43 refers to the state of the mode SW 27 and the determination result and calls the rewrite program starting unit 44. The rewrite program starting unit 44 sets the start address of the rewrite program in the PC (program counter) of the CPU 21. This allows the CPU 21 to execute the rewrite program, and the following functions of the rewrite program are realized.
The rewrite program has an IG determination unit 45, a rewriting unit 48, a reset unit 46, and a correctness determination unit 47. The IG determination unit 45 is one of the features of this embodiment relative to the prior art. It determines whether the ignition is in the IG-ON state or the OFF state before the rewriting unit 48 starts rewriting. Whether the state is IG-ON or OFF can be determined, for example, by monitoring the voltage at the IGSW terminal of the electronic control device 100.
The reset unit 46 requests the IC 12 to reset the microcomputer 11 in the following cases.
  • When the IG-ON state does not hold after the shift to the program rewrite mode
  • When rewriting has completed normally
Of these, the reset when the IG-ON state does not hold is one of the features of this embodiment relative to the prior art.
The rewriting unit 48 stores the program NEW received from the tool 50 via the CAN bus in the RAM 25, which is the working memory, and writes the program NEW from the RAM 25 to the flash memory 23. Only the program OLD may be rewritten, or the entire flash memory 23 may be rewritten. When the entire flash memory is rewritten, the microcomputer 11 transfers the rewrite program to the RAM 25 or the like in advance.
Until it receives a rewrite end command from the tool 50, the rewriting unit 48 repeats reception of the program NEW, writing to the RAM 25, and transfer from the RAM 25 to the flash memory 23. Since the address map of the flash memory 23 is known, the program NEW only needs to be written into the address range of the program OLD.
The function of the correctness determination unit 47 of the rewrite program is the same as that of the program OLD. Because the rewrite program has the correctness determination unit 47, a correctness determination can be performed after rewriting completes, and rewriting can be performed again if the result is not normal.
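The rewriting unit and post-rewrite correctness determination described above, sketched as an added example (not code from the patent): chunks are staged in a RAM buffer, copied into the program's address range only, then checked, with a second pass if the check fails. CRC-32 is picked from the methods the text lists; the flash size, address range, chunk size, and all names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLASH_SIZE 256u /* constructed flash model */
#define PROG_BASE   64u /* assumed start of the program OLD address range */
#define PROG_SIZE  128u /* assumed length of that range */
#define CHUNK        8u /* bytes staged in RAM per transfer */

typedef enum { RW_OK, RW_OUT_OF_RANGE, RW_VERIFY_FAILED } rw_status_t;

uint8_t flash_mem[FLASH_SIZE];
int fault_on_attempt = -1; /* demo hook: pass index that suffers one bit flip */

/* CRC-32 (reflected, polynomial 0xEDB88320), bitwise for brevity. */
uint32_t crc32_calc(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* One rewrite pass: stage each chunk in RAM, copy it into the program range,
 * then run the correctness determination over what flash now holds. */
static rw_status_t rewrite_once(const uint8_t *image, size_t len,
                                uint32_t expected_crc, int attempt)
{
    uint8_t ram[CHUNK];

    if (len > PROG_SIZE)
        return RW_OUT_OF_RANGE; /* never write outside the program range */

    for (size_t off = 0; off < len; off += CHUNK) {
        size_t n = (len - off < CHUNK) ? len - off : CHUNK;
        memcpy(ram, image + off, n);                 /* tool -> RAM */
        memcpy(&flash_mem[PROG_BASE + off], ram, n); /* RAM -> flash */
    }
    if (attempt == fault_on_attempt && len > 0)
        flash_mem[PROG_BASE] ^= 0x01u; /* simulated bit inversion by noise */

    return crc32_calc(&flash_mem[PROG_BASE], len) == expected_crc
               ? RW_OK : RW_VERIFY_FAILED;
}

/* Rewrite, and rewrite again when the post-write check fails, up to
 * max_attempts passes. *attempts_used reports how many passes ran. */
rw_status_t rewrite_program(const uint8_t *image, size_t len,
                            uint32_t expected_crc, int max_attempts,
                            int *attempts_used)
{
    rw_status_t st = RW_VERIFY_FAILED;
    *attempts_used = 0;
    for (int a = 0; a < max_attempts; a++) {
        st = rewrite_once(image, len, expected_crc, a);
        (*attempts_used)++;
        if (st != RW_VERIFY_FAILED)
            break;
    }
    return st;
}

int main(void)
{
    uint8_t image[100]; /* constructed stand-in for the program NEW */
    int used = 0;
    for (size_t i = 0; i < sizeof image; i++)
        image[i] = (uint8_t)(i * 7u + 3u);

    fault_on_attempt = 0; /* corrupt the first pass only */
    rw_status_t st = rewrite_program(image, sizeof image,
                                     crc32_calc(image, sizeof image), 3, &used);
    printf("status=%d passes=%d\n", st, used);
    return 0;
}
```

A CRC catches accidental bit inversion such as the noise case the text names; it does not show that the image came from an authorised source, which is the job of the authentication in step S2.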
 〔動作手順〕
 まず、図4、5を用いて従来の動作手順と生じる課題について詳細に説明する。
A.従来の動作手順
 図4は従来の電子制御装置のプログラムの書き換え手順を示すフローチャート図の一例である。リセットが解除されると、正誤判定部42がフラッシュメモリ23の正誤判定を行う(S10)。リセットが解除されるのは、プログラムOLDの書き換え後のリセットの他、バッテリ16が接続された場合、異常が検出された場合などがある。
[Operation procedure]
First, the conventional operation procedure and the problems that occur will be described in detail with reference to FIGS.
A. Conventional Operation Procedure FIG. 4 is an example of a flowchart showing a program rewriting procedure of a conventional electronic control device. When the reset is released, the correctness determination unit 42 determines whether the flash memory 23 is correct (S10). The reset is released when the battery 16 is connected or when an abnormality is detected, in addition to reset after rewriting the program OLD.
 If the flash memory 23 is normal (Yes in S10), the microcomputer 11 enters the normal operation mode, and the vehicle control unit 41 performs the vehicle control that the electronic control device 100 is responsible for (S20).
 The vehicle control unit 41 repeats the same processing every predetermined cycle time, and during that time a service person may connect the tool 50 and transmit a rewrite request. In this case, the vehicle control unit 41 causes the rewrite determination unit 43 to determine whether rewriting is possible (S30).
 When no rewrite request is transmitted, or when the rewrite determination unit 43 determines that rewriting is not possible (No in S30), the vehicle control unit 41 continues vehicle control.
 When the rewrite determination unit 43 determines, based on its own determination and the determination result from the IC 12, that rewriting is possible (Yes in S30), the rewrite program activation unit 44 activates the rewriting program. The microcomputer 11 thereby enters the program rewrite mode. If the transition is normal, the mode SW 27 is ON once the program rewrite mode is entered, but whether the microcomputer is in the program rewrite mode is considered here regardless of whether the mode SW 27 is ON or OFF.
 In the conventional rewrite mode, the microcomputer 11 does not determine whether the ignition is in the IG-ON state; the rewriting unit 48 communicates with the tool 50 and starts rewriting the flash memory 23 (S40).
 For rewriting, a rewrite start command is transmitted from the tool 50, and this starts the rewriting of the memory.
 While writing a part of the program NEW transmitted from the tool 50 to the flash memory 23, the rewriting unit 48 repeatedly requests the next part of the program NEW from the tool 50 until rewriting is completed (S50). Completion of rewriting is determined by, for example, receiving the end of data (EOF) from the tool 50, or finishing the writing of the amount of data received at the start of rewriting.
 When rewriting is completed, the rewriting unit 48 receives a rewrite end command from the tool 50 (S60). Communication with the tool 50 can then be terminated.
 When rewriting is completed, the correctness determination unit 47 also performs a correctness determination on the flash memory 23 (S70). The correctness determination of step S70 is not essential.
 If the flash memory 23 is normal (Yes in S70), the reset unit 46 requests the IC 12 to reset the microcomputer 11, and the microcomputer 11 is reset (S80). When the reset is released, the processing from step S10 onward is repeated, so the correctness determination finds the memory normal and the microcomputer 11 enters the normal operation mode.
 If the flash memory 23 is not normal (No in S70), the rewriting has failed, so the rewriting unit 48 executes the rewriting again.
 In this way, the microcomputer 11 can rewrite the program OLD, detect that rewriting has failed, and rewrite it again.
B. Problems of the Conventional Operation Procedure
 FIG. 5A is an example of a flowchart explaining a problem caused by the program rewriting procedure of a conventional electronic control device.
 As in FIG. 4, assume that the rewrite determination unit 43 has determined that a transition to the rewrite mode is possible (S30). A delay then occurs before the rewriting unit 48 communicates with the tool 50 and starts rewriting the memory. The service person is operating the tool 50 but may, for some reason, switch the ignition to IG-OFF before the rewrite start command is transmitted. Even after the switch to IG-OFF, power is supplied to the +B terminal, so the microcomputer 11 can operate; however, because it has shifted to the program rewrite mode, it cannot enter the low power consumption mode as it would in the normal operation mode.
 In addition, because rewriting has not yet started, the tool 50 cannot detect the vehicle abnormality (IG-OFF) either. Even in the program rewrite mode, if the IG-OFF state is entered after the tool 50 has transmitted the rewrite start command, the tool 50 may determine that the rewrite conditions are not satisfied (determine that the ignition is in the IG-OFF state) and be able to reset, or may be able to complete the rewriting. In these cases the tool 50 displays an error, so the user can tell that rewriting has failed.
 Therefore, if the IG-OFF state is entered before rewriting starts, the microcomputer may stall in the rewrite mode and drain the battery. That is, even if the tool 50 detects the abnormality and displays an error, the service person has interrupted the rewriting intentionally and may not notice, or may pay no attention to, the error display. As a result, the battery may run down.
 FIG. 5B is an example of a flowchart explaining another problem caused by the program rewriting procedure of the conventional electronic control device 100. In FIG. 5B, the ignition is assumed to be already in the IG-OFF state.
 The microcomputer 11 in the normal operation mode executes vehicle control, and even after IG-OFF it may be executing the program OLD until it shifts to the low power consumption mode. Even in the low power consumption mode, it may periodically wake up and execute the program OLD, for example to monitor for abnormalities. Consequently, if an abnormality occurs in the program counter, the CPU 21 may execute the rewriting program.
 In this case, the rewriting program tries to communicate with the tool 50 and rewrite the program OLD. However, since the tool 50 is not connected, the microcomputer 11 stalls in the rewrite mode and cannot enter the low power consumption mode. This could drain the battery.
 If the rewrite mode is entered by mistake during the IG-ON state, the driver or another occupant is in the vehicle and can notice it from unusual behavior, a warning lamp on the meter, and the like. In the IG-ON state, it may also be possible to reset by a mechanism such as a watchdog timer.
C. Operation Procedure of This Embodiment
 FIG. 6 is an example of a flowchart explaining the program rewriting procedure of the electronic control device 100 of this embodiment. Compared with FIGS. 5A and 5B, step S35 is added.
 That is, when it is determined in step S30 that the rewrite mode is to be entered, the IG determination unit 45 determines whether the ignition is in the IG-ON state (S35). This makes it possible to detect that the ignition was switched to IG-OFF before rewriting started. The determination of whether the ignition is in the IG-ON state may also be made before the transition to the rewrite mode.
 If the ignition is in the IG-OFF state (No in S35), the reset unit 46 resets the microcomputer 11 (S80). Therefore, when the service person switches to IG-OFF after the transition to the rewrite mode, the microcomputer 11 can return to the normal operation mode.
 Also, when the correctness determination of step S10 finds the memory not normal (No in S10), whether the ignition is in the IG-ON state is determined, so the microcomputer can be reset in the IG-OFF state even when the normal operation mode is not passed through.
 FIG. 7 is a modification of the procedure of FIG. 6. It differs from FIG. 6 in that, when the determination in step S50 is No, whether the ignition is in the IG-ON state is determined in step S35. In the procedure of FIG. 7, whether the ignition is in the IG-ON state is thus determined cyclically, at regular intervals, or at any timing such as when the load has dropped. Determining it regularly by means of a timer is also effective. By determining whether the ignition is in the IG-OFF state multiple times before rewriting is completed, an IG-OFF state during rewriting can be detected.
 Therefore, even when the rewrite mode is entered because of a program counter abnormality while the tool 50 is not connected, as in FIG. 5B, the IG-OFF state is detected and the microcomputer 11 is reset and can return to the normal operation mode.
 As described above, the microcomputer 11 of this embodiment can prevent the battery from running down even if the ignition is switched to IG-OFF during the rewrite mode.
 This embodiment describes a microcomputer 11 that performs a correctness determination after the IG determination. Branching the processing on the correctness determination makes it possible to rewrite again when the service person wants to rewrite but has switched to IG-OFF by mistake.
 In this embodiment, the components described in the first embodiment perform the same functions, so mainly only the principal components of this embodiment may be described.
 FIG. 8 is an example of a flowchart explaining the program rewriting procedure of the electronic control device 100 of this embodiment. Compared with FIG. 7, step S37 is added.
 When it is determined in step S30 that the rewrite mode is to be entered, the IG determination unit 45 determines whether the ignition is in the IG-ON state (S35). As described above, this detects that the service person switched to IG-OFF after the transition to the rewrite mode.
 If the ignition is in the IG-OFF state (No in S35), the correctness determination unit 47 performs a correctness determination (S37). For example, the service person may switch to IG-OFF by mistake during rewriting. In this case, the flash memory 23 has been rewritten only partway, so the service person presumably wants to rewrite. In this case, the correctness determination is also expected to find the memory not normal.
 Therefore, when the correctness determination finds the memory not normal (No in S37), the rewriting unit 48 rewrites the memory (S40). The subsequent processing is the same as in FIG. 6.
 On the other hand, when the correctness determination finds the memory normal (Yes in S37), the ignition was switched to IG-OFF before rewriting, as described for FIG. 6, and it is unclear whether the service person intends to rewrite; the reset unit 46 therefore resets the microcomputer so that it can return to the normal operation mode (S80).
 Therefore, the microcomputer 11 of this embodiment can rewrite again when the service person switches to IG-OFF by mistake during rewriting, and can return to the normal operation mode otherwise.
 In addition, the correctness determination of the added step S37 is logic that the rewriting program already has, or logic executed immediately after the reset is released, so the cost of changing the rewriting program can be kept low.
 In this embodiment as well, as in FIG. 7, whether the ignition is in the IG-ON state can be determined as appropriate before rewriting is completed.
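 The three procedures described above (the conventional flow of FIG. 4, the repeated ignition check S35 of FIG. 7, and the additional correctness determination S37 of FIG. 8) can be compared in a small simulation. This is an added example, not code from the patent: the tick model, all type and function names, the flag standing in for the correctness determination, and the assumption that the tool keeps sending chunks regardless of ignition state are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names throughout; one loop iteration = one pass of the
 * rewrite-mode loop (S35 -> S37 -> S40/S50). */
typedef enum { POLICY_CONVENTIONAL, POLICY_FIG7, POLICY_FIG8 } policy_t;
typedef enum { OUT_REWRITTEN, OUT_RESET, OUT_STALLED } outcome_t;

typedef struct {
    int  ig_off_at;       /* tick at which ignition goes OFF, -1 = stays ON  */
    int  tool_start_at;   /* tick of the rewrite start command, -1 = no tool */
    int  chunks_total;    /* size of program NEW in chunks                   */
    int  chunks_written;  /* progress of the flash rewrite                   */
    bool flash_valid;     /* stands in for the correctness determination     */
    int  left_at_tick;    /* tick at which rewrite mode was left             */
} ecu_t;

ecu_t make_ecu(int ig_off_at, int tool_start_at, int chunks_total) {
    ecu_t e = { ig_off_at, tool_start_at, chunks_total, 0, true, 0 };
    return e;
}

static bool ig_on(const ecu_t *e, int tick) {
    return e->ig_off_at < 0 || tick < e->ig_off_at;
}

/* Runs the rewrite mode for at most `budget` ticks. OUT_STALLED means the
 * microcomputer never left rewrite mode (the battery-drain case). */
outcome_t run_rewrite_mode(ecu_t *e, policy_t p, int budget) {
    for (int tick = 0; tick < budget; tick++) {
        e->left_at_tick = tick;
        /* S35: ignition check, absent in the conventional flow. */
        if (p != POLICY_CONVENTIONAL && !ig_on(e, tick)) {
            /* S37 (FIG. 8 only): stay in rewrite mode if flash is broken. */
            if (p == POLICY_FIG7 || e->flash_valid)
                return OUT_RESET;                      /* S80 */
        }
        /* S40/S50: write one chunk once the tool has started the rewrite. */
        if (e->tool_start_at >= 0 && tick >= e->tool_start_at) {
            e->flash_valid = false;        /* image is partial while writing */
            if (++e->chunks_written == e->chunks_total) {
                e->flash_valid = true;     /* S70 passes in this model */
                return OUT_REWRITTEN;      /* S60, then reset S80 */
            }
        }
    }
    e->left_at_tick = budget;
    return OUT_STALLED;
}

static const char *name(outcome_t o) {
    return o == OUT_REWRITTEN ? "rewritten" : o == OUT_RESET ? "reset" : "stalled";
}

int main(void) {
    /* Constructed scenarios: {ig_off_at, tool_start_at, policy, label}. */
    struct { int ig, tool; policy_t p; const char *label; } s[] = {
        { 0, -1, POLICY_CONVENTIONAL, "FIG.5B, conventional" },
        { 0, -1, POLICY_FIG7,         "FIG.5B, with S35" },
        { 3,  0, POLICY_FIG7,         "IG-OFF mid-rewrite, FIG.7" },
        { 3,  0, POLICY_FIG8,         "IG-OFF mid-rewrite, FIG.8" },
        { 1,  5, POLICY_FIG8,         "IG-OFF before start, FIG.8" },
    };
    for (unsigned i = 0; i < sizeof s / sizeof s[0]; i++) {
        ecu_t e = make_ecu(s[i].ig, s[i].tool, 8);
        outcome_t o = run_rewrite_mode(&e, s[i].p, 1000);
        printf("%-28s -> %-9s tick=%d chunks=%d flash_valid=%d\n", s[i].label,
               name(o), e.left_at_tick, e.chunks_written, e.flash_valid);
    }
    return 0;
}
```

 In this model the FIG. 7 policy resets on an ignition-off in the middle of a rewrite and leaves a partial image in flash, which is the case the S37 check of FIG. 8 is added to handle.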
 The modes for carrying out the present invention have been described above using embodiments, but the present invention is in no way limited to these embodiments, and various modifications and substitutions can be made without departing from the gist of the present invention.
 For example, in the above embodiments the reset is performed when the ignition is not in the IG-ON state, but the reset may instead be performed when the vehicle is not in the ACC-ON state.
 Also, although the microcomputer has been described as returning to the normal operation mode by a reset, it may return to the normal operation mode by, for example, setting the address of the program OLD in the program counter.
 Also, depending on the microcomputer, the distinction between the normal operation mode and the program rewrite mode may not be clear, and the two operation modes need not be distinguished.
 Also, although the start of rewriting has been described as being determined by the transmission of the rewrite start command, rewriting may instead be judged to have started when the microcomputer has received the first part of the program NEW, or when the first part of the program NEW has been written to the flash memory 23.
 This application claims priority based on Japanese Patent Application No. 2013-240225 filed on November 20, 2013, the entire contents of which are incorporated herein by reference.

Claims (7)

  1.  An electronic control device that updates software stored in a storage unit with software transmitted from outside the vehicle, comprising:
     determination means for determining whether the ignition is in an ON state or an OFF state when a software rewrite request is made from outside or inside the vehicle;
     reset means for resetting the microcomputer of the electronic control device when the ignition is in the OFF state; and
     rewriting means for rewriting the software in the storage unit when the ignition is in the ON state.
  2.  An electronic control device that updates software stored in a storage unit with software transmitted from outside the vehicle, comprising:
     determination means for determining whether the ignition is in an ON state or an OFF state when a software rewrite request is made from outside or inside the vehicle;
     error detection means for detecting an error in the software in the storage unit when the ignition is in the OFF state;
     rewriting means for rewriting the software when the error detection means detects an error in the software in the storage unit, or when the ignition is in the ON state; and
     reset means for resetting the microcomputer of the electronic control device when the error detection means does not detect an error in the software in the storage unit.
  3.  The electronic control device according to claim 1 or 2, wherein,
     after rewriting of the software is started and until the rewriting ends, the determination means determines multiple times whether the ignition is in the ON state or the OFF state.
  4.  The electronic control device according to claim 1, further comprising error detection means for detecting an error in the software stored in the storage unit, wherein
     the error detection means detects an error in the software in the storage unit when the rewriting means has completed rewriting of the software, and
     when the error detection means detects an error in the software in the storage unit, the rewriting means rewrites the software again.
  5.  The electronic control device according to claim 2, wherein
     the error detection means detects an error in the software in the storage unit when the rewriting means has completed rewriting of the software, and
     when the error detection means detects an error in the software in the storage unit, the rewriting means rewrites the software again.
  6.  The electronic control device according to claim 1 or 2, further comprising second error detection means for detecting an error in the software in the storage unit immediately after the reset of the microcomputer is released, wherein
     when the second error detection means does not detect an error in the software in the storage unit and the rewrite request has been acquired, the determination means determines whether the ignition is in the ON state or the OFF state,
     when the second error detection means detects an error in the software in the storage unit, the determination means determines whether the ignition is in the ON state or the OFF state, and
     when the ignition is in the ON state, the rewriting means rewrites the software in the storage unit.
  7.  A software rewriting system comprising an external device and an electronic control device that updates software stored in a storage unit with software transmitted from the external device, wherein
     the external device has a software storage unit for storing software, and
     the electronic control device comprises:
     determination means for determining whether the ignition is in an ON state or an OFF state when a software rewrite request is made from the external device or from inside the vehicle;
     reset means for resetting the microcomputer of the electronic control device when the ignition is in the OFF state; and
     rewriting means for rewriting the software in the storage unit when the ignition is in the ON state.
PCT/JP2014/075108 2013-11-20 2014-09-22 Electronic control device and software rewriting system WO2015076012A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2013240225A JP2015098311A (en) 2013-11-20 2013-11-20 Electronic control apparatus and software rewrite system
JP2013-240225 2013-11-20

Publications (1)

Publication Number Publication Date
WO2015076012A1 true WO2015076012A1 (en) 2015-05-28

Family

ID=53179283

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/075108 WO2015076012A1 (en) 2013-11-20 2014-09-22 Electronic control device and software rewriting system

Country Status (2)

Country Link
JP (1) JP2015098311A (en)
WO (1) WO2015076012A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2019079205A (en) * 2017-10-23 2019-05-23 トヨタ自動車株式会社 On-vehicle equipment and portable terminal
JP7226937B2 (en) * 2018-07-27 2023-02-21 株式会社デンソーテン Control device, control system and control method
JP7373590B2 (en) * 2020-01-10 2023-11-02 日立Astemo株式会社 Electronic control device and electronic control system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005157637A (en) * 2003-11-25 2005-06-16 Toyota Motor Corp Program writing system and method
JP2008242995A (en) * 2007-03-28 2008-10-09 Denso Corp Electronic control device
JP2012006547A (en) * 2010-06-28 2012-01-12 Toyota Motor Corp Electronic control device

Also Published As

Publication number Publication date
JP2015098311A (en) 2015-05-28

Similar Documents

Publication Publication Date Title
CN109478155B (en) Vehicle-mounted update device, vehicle-mounted update system, and update method of communication device
US7978600B2 (en) Electronic control unit with a plurality of control circuits
JP4518150B2 (en) Electronic control device for vehicle
US20140351460A1 (en) Relay device
US10964135B2 (en) In-vehicle electronic control unit and method for abnormality response processing thereof
JP2017157004A (en) System, method, and computer program for updating programs
US7831678B2 (en) Electronic control apparatus
US10384625B2 (en) Communication device and non-transitory recording medium
JP2018132957A (en) Control device and control program update method
CN110809755A (en) Electronic control system
WO2015076012A1 (en) Electronic control device and software rewriting system
JP2008155736A (en) Electronic control device
JP2008254484A (en) In-vehicle communication system
US11561922B2 (en) Communication apparatus, communication method, program, and communication system
JP7147525B2 (en) Communication device and control method
US7934050B2 (en) Microcomputer for flash memory rewriting
JP2008206390A (en) Switching device and activation method of loading corresponding to the same
JP2018132956A (en) Control device and control program update method
JP3491358B2 (en) Power cut-off detection device
JP2011096087A (en) Processing apparatus and control method
JP7514388B2 (en) Vehicle electronic control device and program rewriting method
JP3960212B2 (en) Electronic control unit
WO2019064644A1 (en) Electronic control device and control program verification method
JP5867350B2 (en) Electronic control device for vehicle
JP6887277B2 (en) Electronic control device for automobiles

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14864740

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14864740

Country of ref document: EP

Kind code of ref document: A1